DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendments
	This office action responds to the amendments filed on April 27, 2021 for application 16/815,881.  Claims 1, 3, 6-7, 19, and 20 were amended, claims 2 and 9 were cancelled, and claims 1-20 remain pending in the application.
Response to Arguments
	The Applicant’s arguments filed on April 27, 2021 have been fully considered, and the Examiner responds as provided below.
	Regarding the Applicant’s response at page 7 of the Remarks that concerns the double patenting rejection, the double patenting rejection, as detailed below, will be held in abeyance until allowable subject matter is identified.
	Regarding the Applicant’s response at page 8 of the Remarks that concerns the objection to claim 19, the amendment to claim 19 corrects the typographic error and the objection is withdrawn.
Regarding the Applicant’s response at page 8 of the Remarks that concerns the § 112(b) rejection of claims 6 and 7, the amendment to claim 6 adequately address the issue and the rejection is withdrawn.
Regarding the Applicant’s response at pages 8-13 of the Remarks that concerns the § 103 rejection of independent claims 1, 19, and 20, the Examiner respectfully 
Regarding the Applicant’s response at pages 13-14 of the Remarks that concerns the § 103 rejection of the dependent claims, the arguments for patentability rest upon the patentability of the independent claims.  Because the independent claims are not patentable over the prior art as detailed below, the dependent claims similarly fail to comprise allowable subject matter.
The Examiner presents the following comments to address the significant points raised by the Applicant to rebut the § 103 rejection.  In conjunction with incorporating the limitation of claim 2 into the independent claims 1, 19, and 20, the Applicant argues at pages 11 and 12 of the Remarks that “Yung … does not disclose communications between a rule engine and a controller,” and that “SSL would not be suitable for the system of Koponen, for communications between the MFEs [managed forwarding elements] and the network controllers in each ‘Domain.’”  Remarks p. 11-12.  The Applicant further states, “Yung discloses secure communications, i.e. SSL, however this is not in relation to communications between a rules engine and controller.”  Remarks p. 12.    
The Examiner respectfully dismisses this argument for two reasons.  First, arguments relying upon a “rule engine” are not likely to lead to allowable subject matter, as a “rule engine” is a broad feature, which is to say, it is a figurative representation employed within claim language to effectively capture the underlying complexities of the system.  In reviewing the independent claims for patentability, the Examiner reviewed the underlying concept captured by the claims and Koponen (the primary reference). 
Second, the Examiner respectfully dismisses the notion that the teaching of SSL is not relevant to the rejection of the independent claims.  A “secure communication” is broadly claimed within the independent claims, and a specific teaching of a specific type of communication is sufficient to read on a generically claimed limitation (e.g., the teaching of a thumb tack reads on a fastener).  Finally, the Applicant’s published application (US 2020/0213364) states at ¶ [0177], “In some embodiments, the data flows passing through the rules engine may be encrypted for example SSL.”  Thus, the teaching of SSL is relevant to the limitations within the independent claims.
	The Applicant amended independent claims 1, 19, and 20 to include the limitations previously presented in now canceled claim 9.  In association with the amendment of “us[ing] different keys to communicate with different … controllers,” the Applicant argues that “[t]here is no suggestion within Sood that the mechanism of using separate cryptographic keys would be suitable to be used between controllers in hardware.”
	The Examiner respectfully dismisses this argument because even though Sood may not literally disclose a controller, it would be obvious to a person of ordinary skill in the art to use different keys for different components having different communication channels.  Such a conclusion is consistent with patent law in which the references in an obviousness rejection need not literally teach each and every element – some claim 
	In short, the Applicant attempts to parse too fine of a line between the claimed subject matter and the prior art, but the Examiner is not persuaded due to the close relationship or conceptual similarities between the claimed subject matter and the cited prior art references.
	In the interview conducted with the Attorney on June 23, 2021, the Examiner suggested that the Applicant file proposed amendments with an AFCP request to ensure that the amendments filed with an RCE meaningfully advance prosecution.  As an example of an amendment that would meaningfully advance prosecution, the Examiner observes the use of two rules engines as illustrated in Fig. 5 (of the filed application), with one of the rule engines residing within a hypervisor.  In contrast, Koponen is silent to the use of an MFE with respect to a hypervisor.  Thus, amendments centered upon this relationship may meaningfully advance prosecution.  The Examiner provides this suggestion as an illustration of an amendment that takes the claimed subject to a different level of specificity, as the prior art prevents an 

Claim Objections
Claim 3 is objected to because of the following informalities:  claim 3 depends upon itself, where as it should depend upon claim 1.  Appropriate correction is required.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,601,874 (hereinafter the “‘874 patent”) in view of Koponen et al. (US 2015/0009796, hereinafter “Koponen”).  Claim 1 of the ‘874 patent include a “rules engine” and “controller,” while claim 1 of the instant application includes a plurality of rules engines and controllers.  Within the instant application, each rules engine functions to receive data flows, determine information based upon the data flows, and provide state information to any of the controllers.  Within the ‘874 patent, the rules engine receives data flows and determines information about the data flows by parsing and matching frames (noting that this is not state .  
In contrast to claim 1 of the instant application, claim 1 of the ‘874 patent does not teach a plurality of rules engines and controllers; any of the rules engines providing state information to any of the controllers; and one of the controllers sharing the state information with any of the other controllers.  Koponen, however, teaches a plurality of “managed forwarding elements” (“MFEs”) that act as “rules engines, see Koponen Fig. 2, ¶¶ [0042]-[0046], and a plurality of “network controllers.”  See id.  Koponen further teaches that the plurality of MFEs provide state information to other controllers, i.e., “[t]he MFE interface 315 also allows the network controller 300 to receive state information from the MFEs.”  See Koponen ¶ [0079].  Finally, Koponen teaches that  
a network controllers may “communicate with other network controllers in its domain as well as controllers in other domains in order to exchange network state information.””  See Koponen Figs. 2-3, ¶ [0076].  Accordingly, claim 1 of the instant application is obvious with respect to claim 1 of the ‘874 patent in view of Koponen. 
	Regarding the combination of the ‘874 patent and Koponen, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified claim 1 of the ‘874 patent to have included the network state information features of Koponen. One of ordinary skill in the art would have been motivated to incorporate the network state information for two reasons.  First, the nature of switched packet networks in which data are divided into packets requires a tracking 
	Independent claims 19 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of the ‘874 patent in view of Koponen for the same reasons as provided for claim 1 of the instant application.
	Claim 2, which involves secure communication, is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 9 of the ‘874 patent in view of Koponen, as claim 9 of the ‘874 patent teaches secure communication.
	Claim 3, which involves a rule engine communicating with a controller, is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of the ‘874 patent in view of Koponen teaching this feature in Fig. 2.  The rationale to combine is the same as provided for claim 1.
	Claim 4, which involves the use of different keys, is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 3 of the ‘874 patent in view of Koponen, as claim 3 of the ‘874 patent teaches the use of different keys.
	Claim 8, which involves secure communication, is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 9 of the ‘874 patent in view of Koponen, as claim 9 of the ‘874 patent teaches secure communication.
.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

(NOTE: within the Examiner’s parenthetical explanations below, material within quotation marks is language quoted from the prior art reference, underlined material is language quoted from the claims, and material within brackets is material altered from either a prior art reference or a claim.  Regarding the reconstruction of the claims, a numbered footnote indicates a primary phrase to be first moved upwards to the first cited reference, while a lettered footnote indicates a secondary phrase to be moved after the movement of the primary phrase from which it was lifted.  Or more succinctly, 
move numbered material first, lettered material last.)
A.	Claims 1, 3-4, 8, and 10-20 are rejected under 35 U.S.C. 103 as being unpatentable over Koponen et al. (US 2015/0009796, “Koponen”) in view of Yung (US 7,778,194, “Yung”), and further in view of Sood et al. (US 2016/0127333, “Sood”).
Regarding Claim 1
Koponen discloses
A system (abstract, Fig. 2) comprising: at least one rule engine (Fig. 2, ¶¶ [0006], [0039], “The state information provided to the MFEs [managed forwarding elements that act as rule engine[s]] directs [via rule[s]] the MFEs in terms of how to process packets sent to and from machines (e.g., virtual machines) that are part of the logical network;” and ¶ [0046], “That is, in some embodiments, the network controllers provide the network state information to the MFEs that instructs the MFEs as to how to forward logical network packets.”), provided between a network and an application (Fig. 2, ¶¶ [0042]-[0045], i.e., an application is taken as the application that implements virtual machine “VM 1,” where “MFE 220” of “Domain 1” is a rule engine that resides between “VM 1” and a network that comprises “Domain 2” and “Domain 3”), and which is configured to: 
receive data flows, said data flows being between the network and the application (Fig. 2, ¶ [0042], “In this figure, solid lines between entities represent data plane communications (i.e., data traffic between VMs),” e.g., “data traffic” is receive[d] by “MFE 220” that can originate from “Domain 3” and be sent to “VM 1”); and 
1 …. of said data flows (Fig. 2, ¶ [0042]) and, in dependence on said data flow information (¶¶ [0104]-[0106], “the network controller 300 receives a state update;” see also Yung Figs. 5A-B, Col. 10:62-11:34 regarding “state data”), perform actions with respect to said data flows (¶¶ [0104]-[0106], e.g., “to drop packets” based upon a “state update,” noting other actions are possible); and 
a plurality of controllers (Fig. 2, ¶ [0046], “The network controllers 250-260…”), each of said controllers being configured to provide, …2 , control information to the at least one rule engine to define one or more actions performable with respect to said data flows (Fig. 2, ¶ [0042], “…dashed lines between entities represent control communications (e.g., exchange of network state either between network controllers or between a network controller and a MFE),” and ¶ [0046], “The network controllers 250-260 of some embodiments are responsible for managing the MFEs 220-245 in order for the MFEs to implement logical networks, including the logical network 100.”), 
wherein the at least one rule engine is configured to: provide state information, …3 , relating to at least some of the received data flows (¶ [0079], “The MFE interface 315 also allows the network controller 300 to receive state information from the MFEs. This may include collection of statistics regarding the physical ports of the MFEs and/or the logical ports that the MFEs implement, other information that may cause the network controller 300 to perform additional state computation, etc.”) to one or more of the plurality of controllers (¶ [0079], “The MFE interface 315 also allows the network controller 300 to receive state information from the MFEs.”), 
wherein the one or more of the plurality of controllers are configured to share the state information received with others of the plurality of controllers (Figs. 2-3, ¶ [0076], “The interface 305 to other controllers enables the controller 300 to communicate with other network controllers in its domain as well as controllers in other domains in order to exchange network state information.”), 
4 …,
wherein said rule engine comprises hardware, one or more programmable hardware processors, or a combination of both (¶¶ [0200]-[0201], “Many of the above-described features and applications are implemented as software processes that are , 
wherein said plurality of controllers each comprise hardware, one or more programmable hardware processors, or a combination of both (¶¶ [0200]-[0201]).
Koponen doesn’t disclose
	1 determine data flow information…
	2, 3 …, via secure communications,…
	4 wherein the one or more of the plurality of controllers (of Koponen) are configured to use different keys to communicate with different ones of the others of the plurality of controllers,
Yung, however, discloses
	1 determine data flow information… (Figs. 5A-B, Col. 10:62-11:34, “methods directed to the classification of data flows” that determine data flow information related to “state data” that acts as state information)
	2, 3 …, via secure communications,… (Col. 4:9-37, i.e., the use of SSL provides a secure communication, further noting that nothing within the claim language indicates SSL is not appropriate, and further noting that a specific teaching reads on a generic element (i.e., a species anticipates a genus))
Sood, however, discloses
	4 wherein the one or more of the plurality of controllers are configured to use different keys to communicate with different ones of the others of the plurality of controllers  (¶ [0034], “It should be appreciated that, in some embodiments, each VNF 202, VNFC 214, process flow, and/or communicative entity pairing (e.g., particular VNF 202 and other VNF 202) may have a separate cryptographic key (or set of cryptographic keys) for secure communication,” i.e., the “separate cryptographic keys” can be used for the different communication channels between the plurality of controllers in a virtualized environment as disclosed in Koponen and Sood),
	Regarding the combination of Koponen and Yung, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the network system of Koponen to have included the data-flow classification feature of Yung. One of ordinary skill in the art would have been motivated to incorporate the data flow information feature of Yung because Koponen discusses the production of “physical network statistics received from the MFEs,” see Koponen ¶ [0053], and the data-flow classification feature of Yung enables the gathering of data to compile the statistics as taught by Koponen.  Additionally, one of ordinary skill in the art would have been motivated to incorporate the secure communication feature of Yung because Koponen discusses a network involving the Internet, see Koponen ¶ [0045], and “[t]he Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of message transmission on the Internet,” see Yung Col. 4:9-37. 
	Regarding the combination of Koponen-Yung and Sood, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the network system of Koponen-Yung to have included 
Regarding Claim 3
Koponen in view of Yung, and further in view of Sood (“Koponen-Yung-Sood”), discloses the system as claimed in claim 2, and Koponen further discloses 
wherein the at least one rule engine comprises a plurality of rule engines each configured to communicate with at least one of the controllers (Fig. 2 by inspection; see also ¶¶ [0042]-[0046]). 
Regarding Claim 4
Koponen-Yung-Sood discloses the system as claimed in claim 3, and Koponen further discloses
wherein different rules engines…1 (Fig. 2, ¶¶ [0042]-[0046]).
Sood further discloses
	1 …use different keys to communicate with the same one of the controllers (¶ [0034], “It should be appreciated that, in some embodiments, each VNF 202, VNFC 214, process flow, and/or communicative entity pairing (e.g., particular VNF 202 and other VNF 202) may have a separate cryptographic key (or set of cryptographic keys) for secure communication,” i.e., the “separate cryptographic keys” can be used for the different communication channels between the rules engines and controllers in a virtualized environment as disclosed in Koponen and Sood).
	Regarding combination of Koponen-Yung and Sood, the rationale to combine is the same as provided in claim 1 due to the overlapping subject matter between claims 1 and 4.
Regarding Claim 8
Koponen-Yung-Sood discloses the system as claimed in claim 1, and Koponen further discloses 
wherein communication between each of the plurality of controllers…1 (Fig. 2, ¶¶ [0042]-[0046]).
Yung further discloses
1 …is secure (Col. 4:9-37, i.e., the use of SSL provides a secure communication).
Regarding combination of Koponen and Yung, the rationale to combine is the same as provided in claim 2 due to the overlapping subject matter between claims 2 and 8.
Regarding Claim 10
Koponen-Yung-Sood discloses the system as claimed in claim 1, and Koponen further discloses 
wherein the state information…1 (¶ [0079]). 
Yung further discloses
1 …relating to at least some of the received data flows (Figs. 5A-B, Col. 10:62-11:34) comprises a flow counter for each of at least one of the received data flows (Col 11:35-12:5 “traffic classification engine 86 also maintains an SSL packet flow count, incrementing the SSL packet flow count for a given SSL connection (308) upon detection of a SSL packet”).  

Regarding Claim 11
Koponen-Yung-Sood discloses the system as claimed in claim 1, and Koponen further discloses
wherein the state information (¶ [0079]) relating to at least some of the received data flows (¶ [0042], “solid lines between entities represent data plane communications (i.e., data traffic between VMs)”) comprises delivery information for at least one of the received data flows (¶ [0046], “That is, in some embodiments, the network controllers provide the network state information to the MFEs that instructs the MFEs [via delivery information] as to how to forward logical network packets,”).
Regarding combination of Koponen and Yung, the rationale to combine is the same as provided in claim 1 due to the overlapping subject matter between claims 1 and 11.
Regarding Claim 12
Koponen-Yung-Sood discloses the system as claimed in claim 1, and Koponen further discloses
wherein the at least one rule engine (Fig. 2, ¶¶ [0042]-[0046]) is configured to: store in at least one data store of the at least one rule engine, the state information (¶ [0046], “That is, in some embodiments, the network controllers provide the network state information to the MFEs that instructs the MFEs as to how to forward logical data store); and 
update the state information held in the at least one data store for at least some of the received data flows (¶ [0059], “Upon reconnection, to ensure that the most updated state is provided to the MFEs at each of the different domains, some embodiments provide transactional updates to the different failure domains.”).  
Regarding Claim 13
Koponen-Yung-Sood discloses the system as claimed in claim 1, and Koponen further discloses
wherein the updating the state information (¶ [0059]) comprises…1 
Yung further discloses
1 …incrementing a flow counter for the at least one of the received data flows (Col. 7:60-8:23, “If the packet is part of an existing flow, the packet processor 82 associates the packet with the corresponding flow object and updates flow object attributes as required (110). For example, the packet processor 82, in one embodiment, increments the packet count associated with the flow (116).”).
Regarding combination of Koponen and Yung, the rationale to combine is the same as provided in claim 1 due to the overlapping subject matter between claims 1 and 13.  
Regarding Claim 14
Koponen-Yung-Sood discloses the system as claimed in claim 1, and Koponen further discloses
wherein the updating the state information (¶ [0059]) comprises…1 
Yung further discloses
1 …inserting information about a new flow (Fig. 4, Col. 7:11-59, ”A flow object, in one implementation, is a data structure including fields whose values characterize various attributes of the flow, including source and destination IP addresses, port numbers, traffic class identifiers and the like (see Section B.1., below).” and “If a flow object is not found, packet processor 82 constructs a new flow object (106)” that is incorporated or insert[ed] into the state information).  
Regarding combination of Koponen and Yung, the rationale to combine is the same as provided in claim 1 due to the overlapping subject matter between claims 1 and 14.
Regarding Claim 15
Koponen-Yung-Sood discloses the system as claimed in claim 1, and Koponen further discloses 
wherein sharing of state information enables failover from one of the controllers to another of the controllers (¶ [0038], “Some embodiments provide novel techniques for managing a logical network that is implemented across multiple failure domains (i.e., portions of a physical network which could become disconnected from each other),” and ¶ [0107], “When global state information is modified at a disconnected controller, this state needs to be shared with controllers at other domains upon reconnection.”). 
Regarding Claim 16
Koponen-Yung-Sood discloses the system as claimed in claim 1, and Koponen further discloses
wherein the at least one rule engine (Fig. 2, ¶¶ [0042]-[0046]) is configured to: 
Yung further discloses
parse frames of the received data flows (Col. 5:53-6:23, “the packet processor 82 is operative to process data packets, such as storing packets in a buffer structure, detecting new data flows, and parsing the data packets for various attributes (such as source and destination addresses, and the like)”); 
determine a match of one or more frames of one of the received data flows to data flow information stored in a data store (Fig. 1, Col. 6:24-40, i.e., the “persistent memory 76” acts as a data store, the memory 76 is part of a “traffic monitoring device” that performs in similar fashion to the engine device that is disclosed by Koponen as a MFE) of the at least one rule engine (Col. 5:53-6:23, “the packet processor 82 is operative to process data packets, such as storing packets in a buffer structure, detecting new data flows, and parsing the data packets for various attributes (such as source and destination addresses, and the like);” and Col. 7:60-8:23, “As FIG. 4 shows, if the data flow does not match an existing traffic class (115), packet processor 82 or traffic classification engine 86 flags the packet for traffic discovery (116).”), where the comparison to determine a “match” requires the storage of an already existing traffic classification in memory (i.e., the data store); and 
in response to the determined match, perform one of said actions with respect to said one of the received data flows (Col. 7:60-8:23, “As discussed above, traffic monitoring device 30 may perform other operations, such as firewall or gateway operations, packet capture operations, and/or bandwidth management functions,” and Col. 18:23-55, “A discard policy causes flow control module 132 to discard or drop data packets [as an action] or flows associated with a particular traffic class.”). 

Regarding Claim 17
Koponen-Yung-Sood discloses the system as claimed in claim 1, and Koponen further discloses 
wherein said data flow information comprises header information (Col. 4:11-59, “flows are identified based on the following flow attributes: 1) source IP address, 2) destination IP address, 3) source port number, 4) destination port number, and 5) protocol (derived from the “protocol” field in IPv4 headers, and the “NextHeader” field in IPv6 headers).”).
Regarding combination of Koponen and Yung, the rationale to combine is the same as provided in claim 1 due to the overlapping subject matter between claims 1 and 17.  
Regarding Claim 18
Koponen-Yung-Sood discloses the system as claimed in claim 1, and Koponen further discloses
wherein the one or more of the plurality of controllers (Fig. 2, ¶¶ [0042]-[0046]) are configured to…1 
1 …periodically query the at least one rule engine for updates to the state information (Col. 7:60-43, i.e., “For example, traffic discovery module 84 can monitor data flows in real time to discover traffic classes in the data flows, or store flagged packets and process the stored packets periodically to discover new traffic classes,” i.e., update[] state information suggests the action of query[ing] by the rule engine).

Regarding Independent Claims 19 and 20
With respect to independent claims 19 and 20, a corresponding reasoning as given earlier for independent claim 1 applies, mutatis mutandis, to the subject matter of claims 19 and 20. Therefore, claims 19 and 20 are rejected, for similar reasons, under the grounds set forth for claim 1. 
B.	Claims 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Koponen in view of Yung and Sood, and further in view of He et al. (US 2010/0037311, “He”).
Regarding Claim 5
Koponen-Yung-Sood discloses the system as claimed in claim 3, and Koponen further discloses
wherein each of the controllers …1 (Fig. 2, ¶¶ [0042]-[0046]).
Koponen-Yung-Sood doesn’t disclose
1 …receives a list of public keys for communicating with at least some of the rule engines.
He, however, discloses
1 …receives a list of public keys for communicating with at least some of the rule engines (¶¶ [0042]-[0045], “The SSL server 120 maintains a list of current SSL connections, and this is updated when the connection is torn down (290). Typically the list will comprises the public keys of the respective client nodes 160,” and “This received] and translated into the appropriate format for the policy engine 130;” see also ¶ [0010] that relates to the virtualized environment and establishing secure encrypted connections between two client nodes.).
Regarding the combination of Koponen-Yung-Sood and He, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the network system of Koponen-Yung-Sood to have included the list feature of He. One of ordinary skill in the art would have been motivated to incorporate the list feature of He because Yung discusses the use of SSL for secure communication between two nodes, see Yung Col. 4:9-37, and He advantageously broadens the employment of SSL between multiple nodes via the use of a public key list. 
Regarding Claim 6
Koponen in view of Yung and Sood, and further in view of He (“Koponen-Yung-Sood-He”) discloses the system as claimed in claim 5, and He further discloses
wherein the list of public keys includes a digital signature (¶ [0042], “A certificate authority (CA) will sign certificates [that creates a digital signature] for both the server and client's public keys,”), 
Sood further discloses
wherein each of the controllers is programmed securely with a key of the list of public keys required to verify this digital signature (¶ [0034], “Additionally, the NFVI [network function virtualization infrastructure] module 402 may utilize fuse/root keys (e.g., established by OEM [original equipment manufacturer] or component .
Regarding the combination of Koponen-Yung and He, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the network system of He to have included the digital signature feature of He. One of ordinary skill in the art would have been motivated to incorporate the digital signature feature of He because the digital signature feature of He is a standard computer security protocol for ensuring the authenticity of public keys. 
Regarding the combination of Koponen-Yung-He and Sood, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the network system of Sood-Yung-He to have included programmable-key feature of Sood. One of ordinary skill in the art would have been motivated to incorporate the programmable-key feature of Sood because Sood teaches that such a method provides a “foundational cryptographic key,” see Sood ¶ [0034], which increases the efficiency of managing keys in a system.  
Regarding Claim 7
Koponen-Yung-Sood-He discloses the system as claimed in claim 5, and He further discloses 
wherein the list of public keys is received from a trusted repository (¶ [0042], “A certificate authority (CA) will sign certificates…”), 
wherein each of the plurality of rules engines (of Koponen, Fig. 2) is configured to receive (Koponen, Fig. 2, i.e., the illustrated communication paths) public keys for communicating with one of the plurality of controllers from the trusted repository (¶¶ . 
Regarding combination of Koponen-Yung-Sood and He, the rationale to combine is the same as provided in claim 5 due to the overlapping subject matter between claims 5 and 7.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405.  The examiner can normally be reached on Monday-Friday 9:00-5:00 Mountain Time.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/D'Arcy Winston Straub/Examiner, Art Unit 2491                                                                                                                                                                                                        

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491